Friday, May 29, 2009

Rootkit Analytics is proud to announce the release of SpyDLLRemover v2.

SpyDLLRemover is a standalone tool to effectively detect and delete spyware from the system. It comes with an advanced spyware scanner that quickly discovers hidden rootkit processes as well as suspicious/injected DLLs within all running processes. It not only performs sophisticated automatic analysis of process DLLs but also displays them with various threat levels, which greatly helps in quick identification of malicious DLLs.

One of the unique features of SpyDLLRemover is its capability to free a DLL from a remote process using an advanced DLL injection method that can defeat existing rootkit tricks. It also uses sophisticated low-level anti-rootkit techniques to uncover hidden userland rootkit processes and to terminate them.

The newer version comes with other features such as HTML-based report generation, sorting of the process/DLL list for quick analysis, an enhanced user interface, etc.
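As an added illustration (this is not SpyDLLRemover's code), the following PowerShell walks the modules of every running process and assigns a simple threat level from two signals the announcement alludes to: whether the DLL is Authenticode-signed and where on disk it lives. The level names and thresholds are this example's own assumptions.

```powershell
# Added example, not SpyDLLRemover's own code: triage the DLLs loaded in every
# running process and assign a simple threat level, in the spirit of the
# auto-analysis the announcement describes. Run from an elevated prompt so that
# modules of processes owned by other users can be read.
$windir = $env:SystemRoot

function Get-DllThreatLevel {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    $signed     = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
    $inWindir   = $Path -like "$windir\*"
    # Any user profile directory is writable by that user, a common drop location
    $inProfile  = $Path -like "$env:SystemDrive\Users\*"
    if (-not $signed -and $inProfile)     { return 'High' }
    if (-not $signed -and -not $inWindir) { return 'Medium' }
    if ($signed -and -not $inWindir)      { return 'Low' }   # signed third-party module
    return 'Info'                                            # under %SystemRoot%
}

function Get-ProcessDllReport {
    foreach ($proc in Get-Process) {
        # Protected processes and 32/64-bit mismatches throw here; skip them
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Module  = $m.ModuleName
                Path    = $m.FileName
                Level   = Get-DllThreatLevel -Path $m.FileName
            }
        }
    }
}

Get-ProcessDllReport |
    Where-Object { $_.Level -in 'High', 'Medium' } |
    Sort-Object Level, Process |
    Format-Table Level, Process, PID, Path -AutoSize
```

Files under %SystemRoot% are deliberately not flagged, because many Windows DLLs are catalog-signed rather than embedded-signed and would otherwise flood the list; a module that is unsigned there still deserves a manual look.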

Thursday, May 28, 2009

Unique Sploits Pack is another of the alternatives offered by the underworld of illegal Russian crimeware sales. However, it has a peculiarity compared to others of its kind: it incorporates a module called Vparivatelrogue through which it spreads by social engineering.

In this case it is a beta version of the crimeware that is apparently fairly active; in the few days we have been following it, after "violating" its authentication scheme, we saw that it has not achieved a striking level of infection and therefore has not gathered a significant number of zombies.

Still, this threat is active and spreading further threats, but before looking at the malicious code it distributes, here are some statistics that give a reasonably specific picture of the botnet's activity.

The first sample has a poor detection rate of 27.50% based on 40 antivirus engines (11/40), and the second a slightly higher rate of 43.59%, i.e. 17 of the 40 antivirus companies detect the threat.

These malicious codes are spread through various vulnerabilities, some newer than others, but despite the age of most of the vulnerabilities exploited by this crimeware, they remain very effective.

It not only exploits vulnerabilities in popular web browsers (IE, Firefox and Opera) but also two vulnerabilities in PDF readers currently in widespread use: Adobe Acrobat Reader and Foxit Reader.

As mentioned at the beginning, this package is now proactively spreading malware by exploiting different vulnerabilities on victims' computers, and although it does not yet control a significant number of machines, it is a potential threat to the health of any system, which is why keeping security updates (OS and applications) current every day matters.

Sunday, May 24, 2009

Some of them want to use you. Some of them want to get used by you. Some of them want to abuse you. Some of them want to be abused. I wanna use you and abuse you. I wanna know what's inside you.

Eurythmics - 1983

Any security layer implemented in an information environment seeks to protect our assets from potentially hostile and harmful actions, among which malicious code is one of the greatest dangers these security schemes are built to defend against.

In this sense, the applications developed to spread crimeware threats and form botnets (e.g. Zeus, Unique, LeFiesta, YES Exploit, among many others), where each infected node (zombie) is administered via the web through a control panel, are setting a trend that is difficult to remove from the Internet.

However, it is rather pleasant to see that the protective measures we pursue through various schemes are, in many cases, not taken into account on the crimeware side :D, leaving the door of the "park" open for many of us to "amuse" ourselves by exploiting their weaknesses.

And this is not so unreasonable when you consider that this is program code which, like any other, is always prone to a number of programming bugs, bad settings or default settings.

Thus, the lack of security played against a copy of a known and active management and control kit called YES Exploit System...

...whose authentication scheme, once bypassed, gave access to detailed information on each node that is part of the botnet administered through the crimeware.

Consequently, whoever handles a large number of computers ended up being manipulated in turn :-)

However, it is a good opportunity to look at the statistical data stored by these malicious applications. Among them:

Browsers, and their respective versions, whose vulnerabilities are exploited

Different platforms compromised

Controlled machines

Country of origin of each infected node

In addition to other information relevant to the attacker in deciding what kind of exploit to use for the technology in play (IE 7 and Windows XP).

However, we also note that there are controlled machines on MacOS and Linux platforms. While neither platform has as many victims as Microsoft platforms, this marks a slowly growing trend in malicious code developed for them.

Wednesday, May 20, 2009

Cases of spreading malicious code through various methods of deception are an essential part of the malware propagation cycle that its developers employ.

Resources offered over the Internet for entertainment are often among the most exploited targets for disseminating harmful code, and on that point I have received many inquiries about sites hosting children's entertainment material being used for injection of malicious code or malware downloads.

This shows the "enthusiasm" the creators and disseminators of malware put into these criminal acts, clearly seeking to mislead users by attracting their attention through propaganda methods that promote malware via fake sites.

Thursday, May 14, 2009

Waledac is the name of the trojan that recruits zombie PCs into its botnet, whose main function is the propagation of one of the most common spam campaigns we receive daily: Canadian Pharmacy.

Many security professionals say it is the evolution of another famous botnet: Storm, or Nuwar depending on the antivirus company.

Like Storm, one of the most interesting features of Waledac, besides the use of advanced techniques such as Fast-Flux, is its social engineering strategy, which in its case began with a propaganda campaign on Valentine's Day and is renewed every so often, its latest maneuver being a supposed program for sending SMS messages.

However, Waledac also uses web positioning techniques in unethical ways to attract strategic visits to different domains, which now redirect to the fraudulent online pharmacy used to spread the trojan; this is called Black Hat SEO.

This shows the Black Hat SEO campaign Waledac uses to attract potential victims, and more and more malicious code uses web positioning to ensure early access to malicious sites created to spread malware.

Sunday, May 10, 2009

Adrenalin joins the various crimeware packages we have briefly dealt with over time.

It is another Russian-made crimeware only a few months old; it doesn't purport to be better or worse than others of its family, nor, almost certainly, does it dislike "working" in conjunction with other crimeware :-)

This last sentence, which appears to advertise a sale, actually reflects a little of the current situation of malware spread and crimeware use, something we saw through Scripting attack II.

However, it has some characteristics that differentiate it from others, and which perhaps also explain its high cost compared to its competitors (approximately USD 3500), such as:

Collection of digital certificates,

Different methods of injecting viral code,

Use of local pharming to achieve the required redirects without the user noticing,

A keylogger with screen capture,

Evasion techniques to avoid detection by security tools such as firewalls and anti-rootkits,

Specific modules for cleaning up traces,

Encryption of the information it collects.

Among other things, it has another striking feature that isn't novel but rather particular: it removes the competition's malware :-)

As can clearly be seen, the trend is that the Internet is the greatest exponent of attack platforms, notably through crimeware applications, as we have been commenting regularly on this blog.

Still, a couple of questions keep going around in my head, which basically translate into: why are there more and more automated crimeware packages? Why the high cost?

Trying to analyze it a little, maybe those of us dedicated to the security field have the answers before our eyes in everyday life. The answer to the first question may have a biased perspective on where money flows; that is, of course, information is the most valuable documentation (however small it is and regardless of its classification), and taking into account that cyber-criminals look to get money from this information, the world of malware has been transformed into a big business, highly profitable and difficult to break.

On the other hand, this problem cannot be separated from the fact that crimeware is offered together with 24x7 technical support, which means that more and more criminally minded users are lining up as candidates in search of the economic benefit that crimeware, in the broadest sense of the word, offers as a criminal organization via the Internet.

On the second question, perhaps the answer is directly related to the fact that the cost of buying a kit of this kind can be recovered very quickly, especially bearing in mind that the botnets administered through these applications are often rented to other botmasters, spammers or other characters in this dark underworld, which, as I mentioned in another post, reminds me of William Gibson's stories in Neuromancer.

Friday, May 8, 2009

As Kevin Mitnick once said, "People aren't prepared for deception through technology." Perhaps this assessment, on which many of us who specialize in the security field agree, is part of the answer to why this technique is so effective.

Basically, it is once again the kind of social engineering that draws on visual images to spread malware through pornography.

The mode of operation, as always, is the image of a supposed video, but when you click to play it, an alert window appears indicating a missing codec; running it tries to spread malware.

In this case, the strategy is part of the campaign to spread a known scareware called WinPC Antivirus, whose detection rate is 80%.

This shows the "universality" of the technique: it does not correspond to a specific type of malware but is a highly exploited vector to trick users and spread threats through one of the most widely demanded topics on the Internet, pornography.

Thursday, May 7, 2009

It's clear that cybercriminals spend a great deal of time thinking about new ways of propagation/infection and social engineering strategies aimed at attracting more "slaves" on the Internet :-)

Though it may seem a trivial matter, it is anything but casual. It is a response by organized crime, for which malicious code is the main weapon of the current Russian crimeware industry and one of its greatest exponents.

However, it appears that the "bad guys" occasionally take a break to "play" at improving the design of their creations from a visual point of view.

This is the case of a template, not new (I remember seeing something about it), created to improve the look of the Zeus botnet administration skin. Surely it was created by some bored botmaster to sell the same control interface :-)

This template completely changes the boring and monotonous default interface that comes with Zeus, transforming it into something... a little more pleasant. In fact, some versions of this crimeware are sold with the template already built in.

So this is Zeus by default, during the installation process of the botnet and...

...during the authentication process to access the administration panel.

After applying the template, the panel looks as follows:

As for the authentication interface, it is as follows:

The design, as the template's name suggests, refers to offenses involving the unlawful use of credit card numbers by a third party (carding), and the picture does it justice.

This gives us a clear idea of what those who operate from the village of cybercrime are looking for: fraudulently obtaining money by exploiting the human factor.

Wednesday, May 6, 2009

Abstract: An EventPair Object is an Event built from two _KEVENT structures, conventionally named High and Low. EventPairs are used for synchronization in Quick LPC; they allow the called thread to continue in the current quantum, reducing scheduling overhead and latency. Looking at the basic operations a debugger needs to accomplish, we can see that these tasks are conceptually simple: when the target is running normally, the debugger is sleeping, but when certain events occur the debugger wakes up. It becomes clear that there is a strict relation between generic Event Objects and debuggers, because they have to create a custom Event called DebugEvent able to handle exceptions. Due to the presence of Events owned by the debugger, all the information relative to the Events of a normal process differs from that of a debugged process.

Tuesday, May 5, 2009

Deception strategies are diverse and limited only by the imagination of those who exploit them. Considering also that sites with pornographic content are among the resources in greatest demand on the Internet, it is logical to think that they are exploited for malicious purposes, as usual through social engineering of the visual kind.

This is a resource that probably no malware propagator plans to shelve for a long time, and regardless of the type of presentation used to display a supposed pornographic video that will never play, the goal is always the same: money.

The following sequence of images is a concrete example of a social engineering technique that will never go out of style. Hypothetically speaking, suppose we have arrived at the following site through one of the many routes the Internet offers. This is usually the point where we tend to "choose" the type of video...

...after selecting one, the typical streaming video window appears.

After a few seconds, a reminder of the need to install a component that allows us to view the web content, and immediately the download of the component is offered; it is, of course, actually malware with a low detection rate.

However, the page was created solely to spread malware, offering, in addition to the porn video content, a supposed player called BB-Player: a trojan with a much more acceptable detection rate than the previous binary.

Sunday, May 3, 2009

Registering multiple domains on a single IP address is one of the methodologies used to propagate scareware programs, because it allows consistent (and unethical) web positioning, expanding the chances that a desperate user reaches a website which promises, through its fake product, a magical way of solving problems or of adding a so-called security layer to the computer against potential infections.

Obviously, scareware (or rogue software), like any other malicious code, adds to the current criminal organization it represents, active and constantly looking for economic gain, often as part of crimeware packages such as Unique Sploits Pack, which incorporates a module for spreading scareware.

In this case it is the scareware MalwareRemovalBot; although it isn't anything new, it is now manifesting through different domain names hosted on the same IP address (174.132.250.194), surely using virtual servers.

Friday, May 1, 2009

BHO stands for Browser Helper Object, a plugin written for Internet Explorer to extend its capabilities. But this feature is misused by many spyware programs, which monitor the user's browsing habits and silently steal the user's credentials. Some BHOs also slow down the system considerably.

BHORemover helps in quick identification and elimination of such malicious BHOs present in the system. It not only displays detailed information about each BHO entry but also provides an online verification mechanism that makes it easy to differentiate between legitimate and malicious plugins.

The current version of BHORemover comes with an enhanced user interface with a cool look & feel, a sorting mechanism to arrange the entries by various parameters, and online verification of BHOs using ProcessLibrary.com.
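As an added example (not BHORemover's own code), this PowerShell enumerates the BHO registrations that Internet Explorer loads, resolves each CLSID to its DLL through the CLSID\{guid}\InProcServer32 key, and gathers the company name, signature status and SHA-256 an analyst would use for the kind of verification the post describes. The column layout and the use of a hash as the lookup value are this example's assumptions.

```powershell
# Added example, not BHORemover's own code: enumerate the Browser Helper Objects
# registered for Internet Explorer, resolve each CLSID to the DLL that implements
# it, and collect the details needed to verify the entry.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Resolve-BhoClsid {
    param([string]$Clsid)
    # The BHO key holds only the CLSID; the friendly name is the default value of
    # CLSID\{guid} and the DLL path is the default value of its InProcServer32 subkey.
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path "$key\InProcServer32")) { continue }
        $dll = (Get-ItemProperty "$key\InProcServer32").'(default)'
        return [pscustomobject]@{
            Name = (Get-ItemProperty $key).'(default)'
            Dll  = [Environment]::ExpandEnvironmentVariables($dll)
        }
    }
    return $null
}

function Get-BhoEntries {
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($sub in Get-ChildItem $bhoKey) {
            $clsid  = $sub.PSChildName
            $info   = Resolve-BhoClsid $clsid
            $exists = $info -and $info.Dll -and (Test-Path -LiteralPath $info.Dll)
            [pscustomobject]@{
                Hive      = $bhoKey.Split(':')[0]
                CLSID     = $clsid
                Name      = $info.Name
                Dll       = $info.Dll
                Company   = if ($exists) { [System.Diagnostics.FileVersionInfo]::GetVersionInfo($info.Dll).CompanyName }
                Signature = if ($exists) { (Get-AuthenticodeSignature $info.Dll).Status } else { 'FileMissing' }
                # The hash is the value to submit to an online lookup service
                SHA256    = if ($exists) { (Get-FileHash -LiteralPath $info.Dll -Algorithm SHA256).Hash }
            }
        }
    }
}

# Unsigned entries and entries whose DLL is missing from disk sort to the top
Get-BhoEntries | Sort-Object Signature | Format-Table Hive, Name, Company, Signature, Dll -AutoSize
```

A CLSID that resolves to no InProcServer32 key at all is a dangling registration and is worth removing as well, since a later DLL dropped under that CLSID would be loaded by IE without any new BHO entry being created.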

A 'Windows Service' is a program designed to perform a specific service; it is started automatically when Windows boots and runs as long as the system is up. Services normally run with 'System' privilege, enabling them to perform higher-privilege operations that normal processes cannot. Because of these advantages, malware often uses services to monitor and control the target system.

In this direction, AdvancedWinServiceManager makes it easy to eliminate such malicious services by separating third-party services from Windows services. By default it shows only third-party services, along with details such as Company Name, Description, Install Date and File Path, all in one place, which helps in quickly differentiating between legitimate and malicious services. It comes with rich features such as detecting hidden rootkit services, exporting the service list to an HTML-based log file, and displaying only third-party services. All of these make it stand apart from the 'Windows Service Management Console'.
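As an added example (not AdvancedWinServiceManager's own code), this PowerShell performs the two checks the post describes: it filters the Service Control Manager's list down to services whose binary is not signed by Microsoft, and it cross-checks the registry's service list against the SCM's own enumeration to surface services hidden from the SCM API. Using the binary's creation time as the "install date" and the Authenticode subject as the Microsoft test are this example's assumptions.

```powershell
# Added example, not AdvancedWinServiceManager's own code: list the services whose
# binary is not signed by Microsoft, with company, path and an approximate install
# date, then flag Win32 services present in the registry but absent from the SCM's
# own enumeration. Run from an elevated prompt.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim()
    if ($p -match '^"([^"]+)"')            { $p = $Matches[1] }  # quoted path, arguments follow
    elseif ($p -match '^(.+?\.exe)(\s|$)') { $p = $Matches[1] }  # unquoted path, cut at .exe
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-ThirdPartyServices {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        $company = $null; $signer = 'FileMissing'; $installed = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $company   = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($exe).CompanyName
            $installed = (Get-Item -LiteralPath $exe).CreationTime   # binary creation time as stand-in
            $sig       = Get-AuthenticodeSignature -FilePath $exe
            $signer    = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
        }
        # "Microsoft" is decided by a valid signature, not by CompanyName: malware is
        # free to write "Microsoft Corporation" into its own version resource.
        if ($signer -match 'O=Microsoft Corporation') { continue }
        [pscustomobject]@{
            Name = $svc.Name; State = $svc.State; StartMode = $svc.StartMode
            Company = $company; Signer = $signer; Installed = $installed; Path = $exe
        }
    }
}

function Get-ScmHiddenServices {
    # Win32 services carry Type 0x10 (own process) or 0x20 (shared process); the 0x40
    # bit marks per-user service templates, which the SCM never reports, so skip those.
    $regNames = Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | Where-Object {
        $t = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Type
        ($t -band 0x30) -ne 0 -and ($t -band 0x40) -eq 0
    } | Select-Object -ExpandProperty PSChildName
    $scmNames = (Get-CimInstance Win32_Service).Name
    # A Win32 service the registry knows but the SCM does not report deserves a closer look
    $regNames | Where-Object { $_ -notin $scmNames }
}

Get-ThirdPartyServices | Sort-Object Company | Format-Table Name, Company, State, Installed, Path -AutoSize
Get-ScmHiddenServices
```

On systems where Windows binaries are only catalog-signed, Get-AuthenticodeSignature may report some Microsoft services as NotSigned and they will appear in the first list; a service marked for deletion can also show up briefly in the second, so confirm hits with a reboot before treating them as hidden.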

About Us

Evilfingers is a collection of individuals devoted to raising the bar in the field of information security. The Evilfingers blog is offered to the greater information security community to help our colleagues analyze threats and find solutions. RootkitAnalytics is a web portal to educate and protect our users from the rootkits of the current day around the world. Check out our Tweets to stay posted on what's happening at our end.

ISJobs is our InfoSec job portal/blog, where we list new job openings to help our community. Help yourself to find a job by visiting our blogs regularly.


Technology Partners - Malware Intelligence

Malware Intelligence is a research site dedicated to everything related to malware and crimeware in particular, and information security in general, focusing closely related to the field of intelligence.

Bugspy.net - Our New Technology Partner

BugSpy crawls the web in search of the latest bug reports in open source software. It tries to display only open bugs. It also tries to identify security bugs automatically.